Wim Remes SOURCE Boston 2011 Prezo
Among the blind, the squinter rules.
Security visualization in the field.

@wimremes on twitter
wremes-at-gmail-dot-com

  1. Among the blind, the squinter rules. Security visualization in the field
  2. About me: Wim Remes. Ernst and Young Belgium (ITRA FSO). Incident Response/Analysis. Security Monitoring (SIEM). Security Management. Eurotrash podcast. InfosecMentors. Brucon. @wimremes on twitter, wremes-at-gmail-dot-com
  3. Disclaimer: The opinions and ideas expressed in this talk are my own and are not endorsed by any corporate entity or church.
  4. Agenda: 1. please your audience; 2. tools can [save|kill] your day; 3. visualization hall of fail; 4. tips & tricks; 5. Let's get to work
  5. -1- please your audience
  6. Changing the tune keeps people engaged. Picture by tochis: http://www.flickr.com/photos/tochis/
  7. Who's that for? Management: Historical, Comparative, Supporting Decisions & Business Objectives, More complex, Actionable! Technical: (Near) Real Time, Facilitating the job, Clear & Concise, Actionable! 42
  8. you're the designer
  9. Zen master of data visualization: Edward Tufte. data can be beautiful! data should be beautiful!
  10. Dashboard design guru: Stephen Few. "The sad thing about dancing bearware is that most people are quite satisfied with the lumbering beast." Alan Cooper, 1999, The Inmates Are Running the Asylum.
  11. -2- Tools can [save|kill] your day
  12. What tools can I use? cool kids use this (not!)
  13. What tools can I use? - Desktop - Server
  14. Security tools will help ... PS: export to CSV works well ... try it for a 5000+ host network ;)
  15. credit where credit is due ...
  16. this is going in the right direction...
  17. Open source it is then ... grep, sed, awk, perl, ... http://www.secviz.org (kudos to @zrlram)
  18. -3- visualization hall of fail
  19. PIE, it's what's in your face
  20. whoa, I take the biggest piece!
  21. sometimes however, they rock ...
  22. to explain simple stuff ;-)
  23. "if bullet points are the obvious killers, pie charts are shurikens"
  24. Even the best can fail...
  25. 3D?
  26. failing in style ...
  27. playing hide and seek?
  28. we have to raise the bar, or maybe not ...
  29. Sometimes it's easy ... a 21st century bar(r) chart
  30. -4- tips & tricks
  31. sparklines (aka datawords)
  32. Infographs [infographic image] courtesy of ZoneAlarm (by Checkpoint)
  33. choose your chart wisely http://www.flickr.com/photos/amit-agarwal/3196386402/
  34. Get data from external sources: osvdb.org; datalossdb.org; various industry reports (Verizon DBIR, EY GISS, Trustwave, McAfee, Symantec, ...); virustotal.com; cvedetails.com. Context creates clarity.
  35. 让我们作的更好 (let's make things better) [bar chart: Vulnerabilities by Severity Level, levels 1 to 5, scale 0 to 100] 3D? compared to? last year? last month?
  36. Messy Dashboards (1/5)
  37. Messy Dashboards (2/5) [panel: network status]
  38. Messy Dashboards (3/5) [line chart: Events/Second, 0 to 1500, 12:00 to 13:00]
  39. Messy Dashboards (4/5) [lists: Top attackers and Top targets, by IP address]
  40. Messy Dashboards (5/5) [chart: Local Network - Inbound bytes, 0 to 4000, 9:00 to 13:00]
  41. [combined dashboard: server health (Windows, Unix, Network); network status; Events/Second, 12:00 to 13:00; Major Events (worms, portscans, failed logins, FTP), 0 to 60; Top attackers; Top targets; Local Network - Inbound bytes, 9:00 to 13:00]
  42. 3,1415926535897932384626433832
  43. Blink...Understand [map: sources by country (DE, CN, US, NL, BE) and by network (Great Lakes, KEYWEB, TimeNet, VolumeDrive, EuroAccess, RoadRunner, ISPSYSTEM-AS, Comnet AS)]
  44. Ok, we can still say it with pie [pie chart by country: NL, CN, BE, DE, US]
  45. -5- let's get to work
  46. Davix | gltail: ruby | real time | logs. http://www.fudgie.org/ http://dataviz.com.au/blog/Visualizing_VOIP_attacks.html
  47. Davix | afterglow. credit: David Bernal Michelena. http://www.honeynet.org/challenges/2010_5_log_mysteries
  48. Burpdot http://un-excogitate.org/
  49. Google Charts API http://code.google.com/apis/chart/ http://search.cpan.org/dist/URI-GoogleChart/
  50. Google Visualization API
  51. Google Visualization API. Sample data (one record per line):
      Nevada;7526;6/11/10;Theft;Network Server
      Texas;600;5/29/10;Theft;Network Server
      California;1000;5/25/10 and 5/26/2010;Other;Paper
      Arizona;5893;5/15/10;Theft;Laptop
      Kansas;1105;5/12/10;Theft;Laptop
      South Carolina;653;5/09/10;Theft;Laptop
      Texas;4083;5/04/10;Improper Disposal;Paper Records
      Maryland;937;5/03/10;Other;E-mail
      Michigan;2300;5/02/10;Theft;Laptop
      New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer, ...
      http://code.google.com/apis/ajax/playground/?type=visualization#tree_map
  52. jquery libraries (almost) CC BY-NC 3.0 (To the cloud!)
  53. Conclusions: We need data standardization badly; Understand your data; We need to think outside the box; There's more to visualization than pie charts; There's tools out there: use them wisely
  54. Thank you wremes@gmail.com - @wimremes
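As an added example (not code from the talk), this is how the semicolon-separated breach records on slide 51 could be parsed and aggregated into the [node, parent, size] rows that a Google Visualization tree map consumes. The column meaning (state, records, date, breach type, medium) is an assumption read off the slide, and giving non-leaf rows a size of 0 follows Google's own TreeMap sample.

```javascript
// Added example, not from the talk: turn the semicolon-separated breach records of
// slide 51 into [node, parent, size] rows for google.visualization.TreeMap.
// Assumed column layout (from the slide): State;Records;Date;Type;Medium

// Constructed sample: the records visible on the slide, one per line.
const RAW = `Nevada;7526;6/11/10;Theft;Network Server
Texas;600;5/29/10;Theft;Network Server
California;1000;5/25/10 and 5/26/2010;Other;Paper
Arizona;5893;5/15/10;Theft;Laptop
Kansas;1105;5/12/10;Theft;Laptop
South Carolina;653;5/09/10;Theft;Laptop
Texas;4083;5/04/10;Improper Disposal;Paper Records
Maryland;937;5/03/10;Other;E-mail
Michigan;2300;5/02/10;Theft;Laptop
New York;1020;4/30/10;Theft, Unauthorized Access;Laptop, Desktop Computer`;

// One record per line. A record count that is not a whole number is rejected
// rather than coerced, because a bad count silently skews every aggregate.
function parseBreaches(text) {
  return text.split('\n').filter(l => l.trim()).map(line => {
    const [state, records, date, type, medium] = line.split(';').map(s => s.trim());
    const n = Number(records);
    if (!Number.isInteger(n) || n < 0) throw new Error(`bad record count in: ${line}`);
    return { state, records: n, date, type, medium };
  });
}

// Hierarchy All -> state -> breach type. Leaf ids are "state/type" so they stay
// unique (Texas has two types); non-leaf rows get size 0, as in Google's sample.
function treeMapRows(breaches) {
  const leaves = new Map();            // "state/type" -> summed records
  const states = new Set();
  for (const b of breaches) {
    states.add(b.state);
    const id = `${b.state}/${b.type}`;
    leaves.set(id, (leaves.get(id) || 0) + b.records);
  }
  const rows = [['Node', 'Parent', 'Records'], ['All', null, 0]];
  for (const s of states) rows.push([s, 'All', 0]);
  for (const [id, n] of leaves) rows.push([id, id.split('/')[0], n]);
  return rows;
}

// Headline figure for the dashboard: records exposed across all breaches.
function totalRecords(breaches) {
  return breaches.reduce((sum, b) => sum + b.records, 0);
}

// Browser use: google.visualization.arrayToDataTable(treeMapRows(parseBreaches(RAW)))
```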